How to handle Security blocking PyPI.org

This is getting a bit off topic, but: version pinning is not actually enough. If a project has only published projectname-1.0.0.tar.gz and an attacker comes along and publishes projectname-1.0.0-py3-none-any.whl, pip and other installers will start installing the latter instead, even though the version pin is unchanged.

Same is true for just wheels too, because there can be multiple “compatible” wheels published, and pip will prefer wheels with more specific tags over less specific tags.

3 Likes
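The effect described in the post above, and how pinning file hashes rather than only a version closes it, as an added example that is not part of the original post. It is a simplified model of installer file preference, not pip's own code; the file contents, the third filename and the supported-tag list are constructed. The allow-list is the same idea as pip's hash-checking mode (`--require-hashes`).

```python
import hashlib

# Constructed index listing for one release (not real PyPI data).
SDIST = ("projectname-1.0.0.tar.gz", b"original sdist bytes")
GENERIC_WHEEL = ("projectname-1.0.0-py3-none-any.whl", b"uploaded later")
SPECIFIC_WHEEL = ("projectname-1.0.0-cp312-cp312-manylinux_2_17_x86_64.whl",
                  b"also uploaded later")

# Assumed host: CPython 3.12 on Linux x86_64. Earlier entry = more specific.
SUPPORTED_TAGS = ["cp312-cp312-manylinux_2_17_x86_64", "py3-none-any"]


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def version_of(filename):
    stem = filename[:-4] if filename.endswith(".whl") else filename[:-len(".tar.gz")]
    return stem.split("-")[1]


def rank(filename):
    """Lower is preferred: specific wheel, generic wheel, then sdist."""
    if not filename.endswith(".whl"):
        return len(SUPPORTED_TAGS)
    tag = "-".join(filename[:-4].split("-")[-3:])
    return SUPPORTED_TAGS.index(tag) if tag in SUPPORTED_TAGS else None


def select(files, version="1.0.0", allowed_hashes=None):
    """Return the filename chosen for projectname==version.

    allowed_hashes models a lock file of sha256 digests: a file whose
    digest is not listed is never eligible, whatever its rank.
    """
    candidates = []
    for name, data in files:
        if version_of(name) != version or rank(name) is None:
            continue
        if allowed_hashes is not None and sha256(data) not in allowed_hashes:
            continue
        candidates.append((rank(name), name))
    if not candidates:
        raise LookupError("no file matches the pin and the allowed hashes")
    return min(candidates)[1]


if __name__ == "__main__":
    files = [SDIST, GENERIC_WHEEL, SPECIFIC_WHEEL]
    print("version pin only:", select(files))
    print("version + hash  :", select(files, allowed_hashes={sha256(SDIST[1])}))
```

With only the version pinned, the selected file changes each time a better-ranked file appears for the same version; with the digest recorded when the sdist was first reviewed, the selection stays on that sdist.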